From 21 December 2020, all providers of OTT services that offer their product in an EU member state are required to comply with the requirements of the European Electronic Communications Code (EECC), the Directive on privacy and electronic communications (ePrivacy Directive) and other European legal acts as well as the respective national legal peculiarities (see our collection of laws and regulations here).
The new legal requirements must be analysed and compliance measures be implemented under a systematic and structured approach. We thus recommend carrying out a gap analysis consisting of the seven steps described below. Far-reaching legal harmonisation basically allows for a Union-wide approach, which, however, must be supplemented by a process for implementing the respective national member state requirements.

Practical advice: A significant amount of the required work to ensure OTT providers’ compliance under the new regulatory regime is the same for every enterprise and does not require a customized approach. Therefore, making use of external support can create significant economies of scale that translate into both lower costs and substantial time savings.
For this very purpose, Schalast Rechtsanwälte and other renowned law firms have created an international network of law firms to provide clients with a one-stop-shop compliance solution for all EU member states.

Expand the headings below to find step-by-step instructions. While these steps represent a logical sequence of actions, their order should not be seen as unalterable. In particular where time is of the essence, it is possible to jump between steps for partial actions in the spirit of agile project management:

Each abstract legal requirement should be translated into a specific measure or a set of measures to be implemented. Such measures can have various characteristics and may include:
a) one-time measures (e.g., the revision and drafting of new contractual and other documents or the review and revision of service security),
b) the establishment of new internal processes and responsibilities (e.g., a process for the identification of security incidents and the corresponding notification of the respective national regulatory authority (NRA) as well as customers),
c) monitoring of regulatory activities of the EU commission, the NRAs and other relevant authorities, or
d) trainings to embed relevant knowledge in the company (e.g., training of staff on new processes; creation of awareness for new legal recourse options).

Practical advice: Some measures and processes may be subject to deviating requirements in EU member states as national legislators may make use of their national scope in different ways. However, a generalizing approach can still be taken by taking account of the most stringent requirements throughout all legislations. Naturally, the advantages of simplification must be considered against possible higher costs and other disadvantages in each case.

By determining the internal status quo, this step creates the counter basis to the requirements identified under steps one and two. Therefore, it should be equally detailed as the list of the targets.

Practical advice: At best, process documentations that already exist can be consulted.
Conducting the comparison between the status quo and the targets is the gap analysis in a narrower sense. The required compliance measures and the current internal processes and organizational structures are put next to each other to identify the necessary changes.
The necessary measures to be taken should largely follow from the translation of the legal requirements into actual targets carried out under step two. This step concludes the review process and leads to the implementation process.

When you reach this step, the review process has been completed. While steps 1 to 5 consist primarily of legal work, this step is mainly characterized by project organization and coordination. To allow for a time-efficient implementation process, we recommend to:

  • thematically bundle the necessary compliance measures,
  • allocate personal responsibilities, and
  • prepare a time-based implementation concept, in particular by definition of milestones.


Practical advice: Where time is of the essence, prioritisation is inevitable. To determine the most urgent measures to be taken and reduce liability risks efficiently, analyse the possible penalties for non-compliance with respect to each identified gap.
Furthermore, making use of the experienced external support can significantly increase the efficiency of the implementation process by making use of established best practices.

Congratulations! By implementation of the required measures, you take the final step to achieve your enterprise’s compliance.
Please note, however, that continuous compliance requires the ongoing monitoring of possible changes to the current legal regime. This aspect is of particular importance in the telecommunications sector as the involvement of the national regulatory authorities leads to continuous regulatory activities.

Practical advice: To save unnecessary costs, a centralised approach to monitoring legal and regulatory activities is highly recommended. This can be done by a business association. Alternatively, such monitoring can be outsourced to an external legal service provider.